computing with encrypted data and programs
TRANSCRIPT
-
COMPUTING WITH ENCRYPTED DATA AND PROGRAMS
Shai Halevi (IBM Research)
CCC Symposium --- May 10, 2016
-
THE WONDERFUL CLOUD
2
-
THE WONDERFUL CLOUD not so
3
-
CRYPTOGRAPHY TO THE RESCUE?
Wouldnt it be nice to be able to Encrypt my data before sending to cloud While still allowing the cloud to search/
sort/edit/ this data on my behalf Keeping the data in encrypted form
Without shipping it back and forth to be decrypted
4
-
CRYPTOGRAPHY TO THE RESCUE?
Wouldnt it be nice to be able to Encrypt my queries to the cloud
While still letting the cloud process them
Cloud returns encrypted answers that I can decrypt
5
-
HOMOMORPHIC ENCRYPTION
Alice
Server (Cloud)
(Input: data x, key k)
I want 1) the cloud to process my data 2) even though it is encrypted.
Enck[f(x)]
Enck(x)
function f
f(x)
Run Eval[ f, Enck(x) ]
= Enck[f(x)]
The special sauce! Running Eval should be
efficient
This could be encrypted too.
Delegation: Encrypting x and decrypting f(x) is cheaper
than computing f(x) myself.
6
-
BRIEF HISTORY
Possibility noted in the early days of public-key encryption [RAD78]
Many somewhat homomorphic schemes over the years Can only compute (very) limited functions E.g., only linear functions
First fully homomorphic PKE in [Gen09] FHE can compute any function (in principle)
Rapid advances since then Better security, much better efficiency 7
-
HOW CAN THIS BE?
A simple (symmetric) example [vDGHV10]: Bit-by-bit encryption (plaintext space is {0,1}) Secret key is an odd integer Ciphertexts are integers close to multiples of + (with ||)
The encrypted bit is the LSB of the noise (zero when is even, one when it is odd)
Add/mult the integer ciphertexts correspond to add/mult of the plaintext bits (mod 2) As long as the noise remains
p x= pq + r
8
-
HOW CAN THIS BE?
A simple (symmetric) example [vDGHV10]: Bit-by-bit encryption (plaintext space is {0,1}) Secret key is an integer Ciphertexts are integers close to multiples of + (||)
The encrypted bit is the LSB of the noise (zero when is even, one when it is odd)
Add/mult the integer ciphertexts correspond to add/mult of the plaintext bits (mod 2) As long as the noise remains
p x= pq + r
Any function can be implemented from addition
& multiplication operations
9
-
THREE GENERATIONS OF FHE
1G. First plausible candidate in [Gen09] Ciphertext is noisy Noise grows with computation
Once too noisy, the signal is lost
Noise exponential in the degree of the function Parameters must be huge, to allow large noise
2G. [BV11, BGV12,]: Better noise control Noise grows linearly with degree Ciphertext packing: many plaintext elements
packed in a single ciphertext 10
-
THREE GENERATIONS OF FHE
1G. Fast accumulation of noise 2G. Better noise management + packing 3G. [GSW13,]: Asymmetric noise growth
Very slow noise growth for some circuits
But slow noise growth in 3G is incompatible with ciphertext-packing (as far as we know)
For efficiency, we have a choice: 2G+packing (faster asymptotically) or 3G+small-noise (sometimes faster in practice)
11
-
SPEED OF FHE
1E+8 infeasible
1800
0.1
0.01
0.0001 0.0001
0.001
0.01
0.1
1
10
100
1000
10000
100000
1000000
10000000
100000000
Sec
on
ds/
bit
Year
2010 2011 2012 2013 2014
Estimated amortized time for computing a single bit operation on encrypted data
Moores law
Still a long way to go
12
-
BEYOND HOMOMORPHIC ENCRYPTION
Attribute-based Encryption (ABE) Functional Encryption (FE) Code Obfuscation
-
LIMITATIONS OF FHE
FHE is very powerful But access to data is all-or-nothing
Without the secret key, all you see is a meaningless ciphertext
If you have the secret key, you can read the result but also intermediate values
Computation is unrestricted Cant limit the functions that can be
computed on encrypted data 14
-
ATTRIBUTE-BASED ENCRYPTION (ABE) [S84, SW05]
One PK, many partial secret keys Each key associated with some attributes Encrypt under PK and policy P Only key with attributes satisfying P can
decrypt Useful for controlling access to
Access-control baked into ciphertext
But no computation on encrypted data Decryption recovers unmodified
15
-
WHAT WE WANT
FHE and ABEs Love Child Functional Encryption (FE): Controlled
encrypted computation Each key is restricted to one specific Can compute () from ENC() using
Unlike FHE: gets () in the clear But only for this one function , on this
Another similar construct: code obfuscation, secrets in software
16
-
CODE OBFUSCATION
Encrypting programs, maintaining their functionality Program Encrypted program Given and any , compute ()=() But otherwise hides whatever secrets
that depends on Example: patching software
Patch includes description of vulnerability Encrypted patch works the same, but
hides the vulnerability 17
-
WHAT WE THINK WE HAVE
FHE and ABEs Love Child, but not fully developed
Proof of concept obfuscation, FE Using multilinear maps Security is unclear Performance even worse than FHE in 2010
Blooming theory on use of FE, obfuscation Marvelous constructions, links to other
concepts in crypto, computer-science 18
-
THE ROAD AHEAD
FHE, ABE, FE, Obfuscation Very powerful tools
Open the door to new application Used to be science fiction E.g., software agents that can hide secrets
even from the hosts that run them
FHE, ABE on the road to usability Can already be used in niche application
FE, obfuscation still in their infancy 19
-
THE ROAD AHEAD
A related topic: verifiable computation Integrity for cloud computing Alice delegate work to the cloud, want a
proof that the results are correct
Great progress here too Also on the road to usability
20
-
QUESTIONS?
21